[plug] Advanced IPSec routing

Steve Baker steve at iinet.net.au
Mon Oct 10 14:38:07 WST 2011

On 10/10/11 13:14, Andrew Cooks wrote:
> On Mon, Oct 10, 2011 at 6:34 AM, Steve Baker <steve at iinet.net.au> wrote:
>> I think that the problem is that B decides that packets going to network E
>> do not go through an IPSec tunnel (as E is not connected to the gateway B
>> system, directly or via IPSec) then by the time the new routing rule above
>> says 'send it to gateway C' it is too late to go through any IPSec tunnels.
> Hi Steve
> I think you need to set the route in ipsec on gateway B with something like:
> # ipsec eroute --add --eraf inet --src A.A.A.A/24 --dst E.E.E.E/24 --said %pass
> I hope that helps and good luck.
> Andrew

Hi Andrew,

Thanks for the suggestion, however my system uses the NETKEY stack instead 
of KLIPS, which means the 'ipsec eroute' command doesn't work (although 
it also doesn't complain when I run the command).

Apparently I should use 'ip xfrm' commands, but there is little 
documentation for them and I can't tell if they just set up the SA 
policies or if they also do routing. I also can't figure out how to use 
them to route first and then choose an IPSec tunnel second.
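
Added example (not part of the thread, and not Openswan's own code): what the 'ip xfrm' side of this looks like on a NETKEY kernel. 'ip xfrm' only edits the kernel's SA database ('state') and security policy database ('policy'); it does no routing. On NETKEY the order is the opposite of the KLIPS mental model: the packet from A to E is routed first (any route that gets it out of B is enough, the default route included), then the outgoing XFRM policy is matched on the inner src/dst selector, and the template on that policy picks the B-to-C tunnel endpoints. The resulting ESP packet is routed afresh towards C's address, so the nexthop of the route for E is never used and no 'via C' route is needed. The addresses, reqid, SPIs and keys below are placeholders chosen for the example (the thread only gives letters); the script prints the commands unless APPLY=1 is set, so it can be read without root.

```sh
#!/bin/sh
# Added example, not from the thread: XFRM policy that sends A -> E traffic
# through the B <-> C tunnel on a NETKEY kernel. Every concrete value here
# is an assumption made for the example.
set -eu

NET_A=10.1.0.0/24      # network behind gateway B (assumed)
NET_E=10.5.0.0/24      # network behind gateway C (assumed)
GW_B=192.0.2.1         # tunnel endpoint address of gateway B (assumed)
GW_C=192.0.2.2         # tunnel endpoint address of gateway C (assumed)
REQID=42               # ties the policy templates to the SAs below
SPI_OUT=0x1001         # SPI for B -> C (assumed)
SPI_IN=0x1002          # SPI for C -> B (assumed)
# Lab-only placeholder keys; never use fixed keys like these on a real link.
ENC_KEY=0x00112233445566778899aabbccddeeff
AUTH_KEY=0x0123456789abcdef0123456789abcdef01234567

# Dry run by default: print the command instead of running it.
# APPLY=1 executes the commands (needs root and a NETKEY kernel).
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Manually keyed SAs for the B <-> C tunnel. When Openswan/pluto manages the
# tunnel these come from IKE instead and this function is not needed; the
# equivalent there is a conn with leftsubnet=A and rightsubnet=E.
xfrm_states() {
  run ip xfrm state add src "$GW_B" dst "$GW_C" proto esp spi "$SPI_OUT" \
      reqid "$REQID" mode tunnel \
      auth 'hmac(sha1)' "$AUTH_KEY" enc 'cbc(aes)' "$ENC_KEY"
  run ip xfrm state add src "$GW_C" dst "$GW_B" proto esp spi "$SPI_IN" \
      reqid "$REQID" mode tunnel \
      auth 'hmac(sha1)' "$AUTH_KEY" enc 'cbc(aes)' "$ENC_KEY"
}

# The policies are the part that answers "which tunnel": the selector is the
# inner packet (A <-> E), the template is the outer tunnel (B <-> C).
# 'out' covers A -> E leaving B; 'in' and 'fwd' cover the E -> A direction,
# 'fwd' because B forwards the decrypted packets on to A.
xfrm_policies() {
  run ip xfrm policy add src "$NET_A" dst "$NET_E" dir out \
      tmpl src "$GW_B" dst "$GW_C" proto esp reqid "$REQID" mode tunnel
  run ip xfrm policy add src "$NET_E" dst "$NET_A" dir in \
      tmpl src "$GW_C" dst "$GW_B" proto esp reqid "$REQID" mode tunnel
  run ip xfrm policy add src "$NET_E" dst "$NET_A" dir fwd \
      tmpl src "$GW_C" dst "$GW_B" proto esp reqid "$REQID" mode tunnel
}

# Checks: the policy must be listed for 'dir out', and after traffic flows
# the outbound SA's packet counters in 'ip -s xfrm state' should increase.
xfrm_show() {
  run ip xfrm policy show
  run ip -s xfrm state show
}

plan() {
  xfrm_states
  xfrm_policies
  xfrm_show
}

plan
```

Note that no 'ip route ... via C' appears: B needs some route for NET_E only so that forwarding does not drop the packet before the policy lookup; after encapsulation the kernel does a second route lookup for GW_B to GW_C.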
